Ahmed Nabil has more than 17 years of experience in the field of Information Technology/Systems, Infrastructure, Project Management, Information Security, Application development/Automation, and IT management. He holds several professional IT certifications from Microsoft, Cisco, ISACA, ISC2, PMI, CWNP, PECB, and EC-Council. Ahmed is an industry expert in Information Security and Digital Transformation and a public speaker at several international conferences (Microsoft Ignite the Tour, ITCamp Cluj, CISO Africa Summit, Egypt CSCAMP, SharePoint Saturdays, CloudWeekend, etc.).
Ahmed is currently the Global Senior Information Technology and Security Architect Lead at one of the top Oil & Gas companies in the world. He was awarded the Microsoft Most Valuable Professional Award (MVP) in Enterprise Security/Cloud and Data Center Management for seven years in a row from 2013 to 2020, for his exceptional knowledge sharing and community leadership in Egypt and the Middle East Region. Ahmed received the MESA CISO 100 Award from the MESA conference held in Dubai for the top CISO executives in the Middle East and was a finalist in EC-Council CISO awards 2018 (Atlanta, U.S.). He was recently selected as a member of the EC-Council CCISO advisory board due to his industry standing and deep experience.
In an exclusive interaction with Augustin Kurian of CISO MAG, Ahmed talks about his journey, threats lurking around cyberspace directed at the Oil & Gas industry, and his tips for aspiring cybersecurity professionals.
You had a stint in the North Africa region before moving to the Middle East, and that makes you a cybersecurity expert in the MENA region. Can you tell us how the Middle East differentiates from North Africa with regard to cybersecurity? Also, tell us how alike these two regions are.
I think in general the MENA region is becoming more vulnerable to security threats and attacks nowadays. While most of them are for-profit or for preventing companies from achieving their goals, we can find several attacks are political in nature, and that’s what might differ between the Middle East and North Africa.
The Middle East is moving in more digital initiatives supported by Governments and the private sector, while in North Africa, it’s mainly focused on the private sector. Cybersecurity will differ from one country to another depending on the economy that differs between each one. Another interesting point is that the North Africa region, due to limited budgets, went to developing their own internal security software, which can be an added value by saving cost, driving the country economics and controlling their security posture – or might raise some other risks if it’s not mature enough.
Other differences will stem from the societal influences that drive each of these regions.
You are currently the Global Senior Information Technology and Security Architect Lead at one of the top Oil & Gas companies in the world. You are in a space that is currently at the epicenter of cyber-attacks as well as physical attacks. How many espionage attacks from both business as well as state-sponsored attacks do you handle in a month?
The Oil & Gas industry is leveraging technology and adopting different transformation projects, which has made it prone to cyber threats. The recent cyber threats caused significant disruptions to different energy, utilities, and oil & gas organizations across the globe.
Typical Operations (SOC – Security Operations Center) will receive many attacks per month depending on the organization’s name, reputation, size, and exposure. Economic and political factors play a great role as well. Many of these attacks are targeted threats.
The attack number is not what is received but rather what successfully penetrated the environment, which sometimes is not known. It’s very critical nowadays to have a solid 24×7 SOC team applying the latest technological advances such as artificial intelligence and machine learning. It’s a war and the well-prepared one will win.
Has there been a shift between the way attacks have been perpetrated towards Oil & Gas companies? Tell us a bit about the new trends in this space.
New technologies and trends are introduced to the Industrial and Oil/Gas sectors. A lot of companies are embracing these technologies like IoT and new industrial devices.
Defending against emerging attacks, such as industrial attacks and IoT is new and sometimes unknown to traditional security professionals, and that’s why new ICS and OT security professionals are introduced in the market. Generally, corporates should have the agility in their operations to apply it in all security processes. This works hand-in-hand with a good governance process ensuring security is part of any business system or application or process.
Tell us a bit about the need for clubbing cybersecurity with physical security in an industry like Oil & Gas corporations.
The fact that we are currently witnessing low oil prices mandated most of the Oil & Gas companies to think and adopt digitization across their companies, raising up more issues for cybersecurity.
A big problem will be focusing only on new technologies and logical control while ignoring other physical problems. Remember most Oil & Gas sites and facilities are critical infrastructure assets for their countries. We should never forget that one of the main security principles is a defense in layers.
Responses to cyber-attacks must be multilayered; this includes physical, technical, and advanced and emerging threat vectors. Security should be integrated into every facet of an organization’s daily operation to cover the overall threat landscape.
You hold certifications like MSC, Microsoft MVP (Most Valuable Professional), CISSP, CISIM, CCSP, CCSIO, CEH, CHFI, CWSP, MCSE, MCSA, CCNP, ISO 27001 LI/LA and PMP. How much have certifications helped you groom your career progress?
It really helped a lot. Certificates are not meant to be just a badge on your shoulder or social media (although it’s nice to have), but I would really think of it as an opportunity for continuous learning. The beauty of Technology and Security, from my point of view, is that you need to continuously learn new things. Certificates are just proof that you have learned and mastered this topic, but it should not be your end goal.
I would recommend security professionals to be diversified and try to learn different topics, platforms, and technologies.
What are your thoughts on the skill gap in cybersecurity? How can these be prevented? What are your tips for upcoming cybersecurity professionals?
Cybersecurity is an evolving industry with a prominent issue of the skill gap. According to the latest surveys, unfilled cybersecurity jobs are expected to reach 1.8 million by 2022.
The problem is that this difference between supply and demand is allowing bad malicious hackers to use this for their own good. We need to admit that the typical formal cybersecurity education is not capturing the talent pool. We need to capture such talent (new generation) in a more innovative way since Cybersecurity itself is not a standard formal career.
More focus should be placed on information security-focused courses which put the student in specific topic-related content. Competitions like “Raise the Flag” are very helpful because these focus on the actual work instead of theory.
For becoming cybersecurity professionals, I believe, passion is the most crucial thing from my point of view. You need to love what you do. Next will be the right skills which are both technical skills and logical/analytical skills.
Technical skills are very wide-ranging from entry to specialized and expert experience. Security professionals tend to be all-rounders, which means they need to have some solid foundation in networking, scripting, operating systems, web technologies, before switching to a full security job. Also, logical and analytical thinking is a must since they will face new challenging problems. Security professionals need to develop a security mindset which is being able to think out of the box, and that’s where you will be targeted.